Controlling where output can be processed

JES2 normally processes output on any device that matches the output's selection criteria. You might, however, want to control the specific devices certain users can access. For example, you might want the users who process your payroll to be the only users of a particular printer.

By defining the device to RACF® (as a profile in RACF class WRITER), you can limit access to that device to a user or group of users. When a defined device selects a piece of output for processing, JES2 passes an authorization request to SAF; access to the device depends on the response JES2 receives. RACF profile names for devices have the following formats:

For local devices,
```
jesname.LOCAL.devicename
```
For RJE devices,
```
jesname.RJE.devicename
```
Note: RJE printers and punches are specified as Rnnnnn.PRm and Rnnnnn.PUm.
For data destined to a node,
```
jesname.NJE.nodename
```

where:

jesname: The JES2 system that defines the node
devicename: The name of the JES2 initialization statement that defines this device.
nodename: The name of the NODE(nnnn) statement that defines the node.

Your security administrator would then grant access to the devices to the userids and groupids you have identified.

Also, if security label verification is active, RACF ensures that the device can write this data depending on the security label specified. If your RACF options require the security label of the device to be equal to or greater than the security label of the output, the device will not be able to process the output.

If a device cannot select output because the device does not have sufficient access to that output, the output remains on the output queue until you:

Change the security attributes of the device; you must then stop and restart that device for the security attributes to take affect.
Authorize the userid associated with the output to the device.
Change the work selection criteria of the output so that a device with the appropriate security attributes can select the output.

RACF also allows your installation to print security labels on printed output that PSF-managed printers process. See z/OS Security Server RACF Security Administrator's Guide for information about printing security labels on job output using RACF. Also, see z/OS MVS JCL User's Guide for information about using the OUTPUT JCL statement to print security labels.